Kaspersky Lab at the 20th Virus Bulletin International Conference on IT Security

Kaspersky Lab participated in the 20th Virus Bulletin International Conference on IT Security, which took place in Vancouver from 29 September to 1 October 2010.

The VB conference is a major highlight of the anti-malware calendar, representing an opportunity for experts in the IT security field to share their research interests, discuss new methods and technologies and set new standards for the industry as a whole. Kaspersky Lab’s experts are traditionally key speakers at the event. This year, the Company’s leading analysts presented in the corporate sector on the following topics:

‘Unraveling Stuxnet’ by Costin Raiu, Director of the Global Research & Analysis Team, and representatives of the Microsoft Corporation

‘How Much Do You Cost? The Black Market Price of Your Digital Data’ by Dmitry Bestuzhev, Senior Regional Researcher, Latin America, Global Research & Analysis Team

‘Automated Targeted Attacks: The New Age of Cybercrime’ by Stefan Tanase, Senior Security Researcher, EEMEA, Global Research & Analysis Team

‘Russian Cybercriminals on the Move: Profiting From Mobile Malware’ by Denis Maslennikov, Senior Malware Analyst, Mobile Research Group Manager

Costin Raiu, Director of the Global Research & Analysis Team, and representatives of the Microsoft Corporation

Detailed analysis of Stuxnet has shown that it is one of the most complex, well thought out and overdesigned malware samples discovered in the wild to date. This talk will provide a timeline of the events and discoveries surrounding Stuxnet. The presentation will unravel the malware, component by component, providing the details and the reasoning behind the design.

Any computer-related data, such as credit card numbers, ICQ UINs, premium RapidShare accounts, social networking and email accounts, etc., makes a very attractive target for cybercriminals. Stolen credit cards are priced according to the country of issue, and the same goes for any popular premium web service accounts, including online gaming servers.

This presentation shows how the cybercriminals get their hands on such confidential data, how they make and launder money, how this can be prevented and what steps antivirus vendors are taking to combat this threat. Dmitry will also discuss the huge increase in data theft using Trojans during the last 5 years, as well as which credit card systems and social networks are most frequently attacked, and which countries are most active in producing and distributing data theft malware. Finally, and possibly most interesting of all, using our HTML frame anyone will be able to calculate how much his or her own profile is worth to the criminals.

There's no doubt cybercriminals are using targeted attacks to get deep inside corporate and SMB networks. In such an attack, one or several specific employees are usually targeted. Personal information that is unwittingly posted on social networks by such employees on a day-to-day basis is a real goldmine for cybercriminals looking to profile a person as accurately as possible to ensure the success and efficiency of their targeted attack. All the personal information they share can easily be collected by someone with malevolent intentions for later use in sophisticated social engineering attacks.

Usually, targeted attacks come with serious consequences, as recent public examples have shown. Given the popularity of intellectual property theft and corporate espionage, it is becoming extremely important to implement new, effective security strategies.

Everybody wonders just how much money cybercriminals who target mobile devices actually make. If this activity wasn't in the least bit profitable, then it almost certainly wouldn't exist. The fact that people fall victim to such attacks demonstrates that, just as in other areas, the bad guys are making extensive use of social engineering to exploit the human factor. It should also be noted that security solutions for mobile devices aren't widely used as the majority of people don't even know that mobile malware exists and is in the wild. These two factors contribute to the number of attacks on mobile devices.

Russia provides a unique environment for high commercial value attacks on mobile phones and smartphones: the lack of a clear market leader in mobile operating systems and weak legislation really help the bad guys. It's not only in Russia that millions of dollars have been lost due to mobile malware, and cybercriminal groups specializing in different areas are working closely together to make more and more money.

This presentation will examine the mobile malware most commonly used by Russian cybercriminals and will explain how they profit from such activities.

Alexey Kadiev, Malware Analyst, and Darya Gudkova, Head of Content Analysis & Research

Nowadays, when almost every user has an antivirus solution and knows at least something about Internet security, it is becoming harder for malware writers to infect a victim's computer. By creating an efficient, web-based infection method using JavaScript code, and coupling that with a knowledge of the social engineering techniques used by phishers and spammers, one can construct an ideal scheme for infecting computers. At Kaspersky Lab, we noticed a new massive attack using this scheme in the middle of June 2010, and we have been tracking it ever since.

Although similar schemes appeared a year ago, they were not as sophisticated. This is the most important thing about the recent Pegel infections.

At the end of 2009, massive infections of legitimate websites with malicious JavaScript code became a serious problem, both for IT specialists and PC users all over the world. Since 2009, the first Gumblar variants and then some time later Pegel versions have used infected web servers for their propagation. Such a closed-loop concept used for building the Pegel botnet, in combination with the constant addition of new features, proved to be very effective and successful. Today, after more than a year of Pegel's existence, the situation is still getting worse.

In addition to automated social engineering techniques, exploit packs continue to be all the rage for mass exploitation across the Internet. It is easy to estimate that millions of Internet users have visited sites hosting exploit pack generated web pages. A long list of packs have come and gone over the past few years, leaving behind a handful of the most popular, like Eleonore, Phoenix, and Siberia.

We will dissect these packs, examine and compare their characteristics and effectiveness and how they have changed this past year, focusing mostly on recent in-the-wild (ITW) installations and events. A long list of characteristics will be presented for this underground phenomenon: pricing models, development challenges, implementation, exploits, low-level technical details of the shellcoding and some of the payloads themselves.

Roel Schouwenberg, Senior Anti-Virus Researcher, Americas, Global Research & Analysis Team, and Costin Raiu, Director of the Global Research & Analysis Team, and representatives of the Microsoft Corporation

The discovery of the Stuxnet worm by VirusBlokAda can easily be considered one of the most important malware events of 2010. The initial announcement that the worm was using a zero-day vulnerability in Windows involving LNK files was overshadowed by the news that its rootkit driver was signed with a valid certificate from Realtek, a very well-known Taiwanese hardware developer. The discovery of a second signed driver by ESET, this time with a certificate from JMicron, spawned a lot of speculation about the origin of the certificates and the general implications for the signature trust model in Windows.

Interestingly, one of ZeuS' functions is the theft of digital certificates, such as the ones used to sign the Stuxnet rootkit drivers. Earlier this year, we got the chance to examine a server used as a ZeuS drop zone, along with 2125 PFX files containing certificates stolen from many different companies and individuals. This presentation will take a look at the 2125 certificates stolen by this ZeuS Trojan and the possible links with the Stuxnet incident.

Trojan-Ransoms are not new; it’s now more than 20 years since the first variant was created. Yet they are currently spreading very rapidly in Russia and other countries of the former Soviet Union, leaving the rest of the world relatively undisturbed. At least, for now!

The social engineering techniques used to infiltrate and ransom evolve rapidly, and the technical complexity of these malicious programs increases with every variant. Additionally, their authors are in a fierce battle to counteract antivirus protection of every type. Trojan-Ransoms in Russia have become an effective tool for the cybercriminals, mainly because they are highly profitable, easy and relatively safe! We believe the reason for the local popularity of these malicious programs is a favorable environment from a legal, cultural and educational point of view.

The presentation will look at all aspects of this ‘Russian phenomenon’, including the capabilities of the cybercriminals’ organizations, shutting the cybercriminals’ schemes down and prosecuting the offenders, and the level of available anti-malware protection.